OpenLDAP Everywhere

Step-by-step instructions for sharing e-mail directories, having a unified login and sharing files in a mixed environment.

The purpose of this article is to
demonstrate the use of OpenLDAP as the core directory service for a
heterogeneous environment. The LDAP server provides a shared e-mail
directory, a unified login for Linux and Windows users, automount
of home directories and file sharing for both Linux and Windows
clients.

Midwest Tool & Die has been using OpenLDAP for three
years, and the performance has been flawless. We have experienced
100% uptime for the directory. The company saw the first big
benefit from sharing e-mail contacts in the directory. Now, we have
unified logon from any networked computer. Our computer users can
access the same file storage through Windows/Samba or through
Linux/NFS/automount. The result is seamless access to network
services.

Figure 1. OpenLDAP Mixed Environment

A simple mixed environment used in the examples in this
article is shown in Figure 1. The configuration discussed in this
article does not document the use of SSL. The ldapsync.pl program
it uses may expose your LDAP manager password. As a result, Windows
clients may cache user passwords, thereby creating a new risk to
Linux security. Review your security needs with caution and
prudence, and attempt this configuration at your own risk. Neither
the authors, nor our employer, Midwest Tool & Die, takes any
responsibility for your security.

LDAP Server Installation and Configuration

The LDAP server we discuss was installed using RPM binary
packages and uses openldap-2.0.11-8 on Red Hat 7.1. You also need
to have the auth_ldap and nss_ldap packages. This article assumes a
domain name of foo.com.

To use the most recent source, follow the instructions at
www.openldap.org/doc/admin/quickstart.html
to download and install OpenLDAP. Edit the OpenLDAP server
configuration file, /etc/openldap/slapd.conf as follows:

The LDAP schemas define object classes and attributes that
make up the directory entries. With the edits above, the hard work
of defining schemas to fit our uses has been done. The schemas that
we need, listed in the first section of slapd.conf, already have
been defined and packaged with the RPM installation.

If you find that you need to add an objectClass or an
attribute for your directory, see the OpenLDAP admin guide at
www.openldap.org/doc/admin20/schema.html.
We'll use the default database type, ldbm, and our example names the
directory with the domain-component (dc) style, so the domain foo.com
becomes the suffix dc=foo,dc=com. In addition, the manager (the rootdn)
has full write access to all LDAP entries.

In the previous Perl line, replace
salt_string with a two-character salt, and
passwd with the plain-text version of the
password. Paste the resulting encrypted password into slapd.conf as
shown above.

The index lines enhance performance for attributes that are
often queried. Access control restricts access to the userPassword
attribute: only the user (self) and the manager may modify it, and
everyone else may use it solely for authentication. For all other
entries, the manager has write access, and everyone else is granted
read access.
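As an added illustration (not the article's own slapd.conf listing, which does not appear on this page), here is a minimal slapd.conf that implements the points described above for dc=foo,dc=com. The schema file names, the directory path, the manager DN cn=Manager and the choice of indexed attributes are assumptions; the rootpw hash is a placeholder to be replaced with a real crypt(3) hash.

```conf
# Added example, not the article's listing. OpenLDAP 2.0 slapd.conf syntax.

# Schemas shipped with the RPM packages (file names assumed).
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

# Default database type; foo.com expressed in domain-component form.
database        ldbm
suffix          "dc=foo,dc=com"
rootdn          "cn=Manager,dc=foo,dc=com"
# {CRYPT} hash produced with crypt(); placeholder value, generate your own.
rootpw          {CRYPT}REPLACE_WITH_CRYPT_HASH
directory       /var/lib/ldap

# Index attributes that are queried often (equality, and substring for names).
index   objectClass,uid,uidNumber,gidNumber     eq
index   cn,sn,mail                              eq,sub

# userPassword: the user and the manager may modify it; everyone else
# may only present it for authentication (bind), never read it.
access to attrs=userPassword
        by dn="cn=Manager,dc=foo,dc=com" write
        by self write
        by * auth

# Everything else: the manager writes, everyone reads.
access to *
        by dn="cn=Manager,dc=foo,dc=com" write
        by * read
```

Access rules are evaluated in order and the first matching "access to" clause wins, so the userPassword rule must come before the catch-all.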
